Don't use Cloudflares 1.1.1.1 on servers

4•tmikaeld•4h ago

We've gotten rate-limited out of the blue on clustered development servers in the past 3 years now, this last one was on servers we setup 830 days ago, before we knew that getting rate-limited/banned on DNS servers where even possible. The worst thing about the last incident was that we entered a death spiral, DNS resolution failing started a logging job, that failed (due to DNS resolution failing to call log server) that then started a job about the failing DNS resolution.. You get the gist..

Of course, this is an issue of engineering and code, not only a rate-limiting issue.

However, many developers rely and depend on upstream DNS resolution to "Just Work" when you add it to a server, which has been the case with Googles DNS servers for the past 15+ years that I've been a sysop. I'm just hoping that this time, this will get SOME attention, because either you want dev-ops to use Cloudflare DNS on servers or you don't - and if you don't - there should be an official warning that this WILL happen, you WILL get rate-limited eventually.

Comments

gertop•4h ago

> However, many developers rely and depend on root DNS resolution to "Just Work" when you add it to a server

As a sysops you're probably aware that neither Google nor CloudFlare are DNS root servers.

Using actual root servers through your own resolver would have avoided this issue. Bind doesn't even need any config for that use case.

tmikaeld•3h ago

Of course, it depends on the use-case, what I meant was "upstream DNS". I've edited.

phillipseamore•3h ago

What kind of volume was this? I have a server that does some rather specific DNS monitoring resulting in millions of unique lookups with 1.1.1.1 a day.

tmikaeld•2h ago

That's the frustrating part of this and the inconsistency, we're doing benchmarks one day, making thousands of lookups, adding/removing domains, then during normal day operations we're getting blocked.

phillipseamore•2h ago

Is this only DNS or have issues with accessing CF networks? Do you own the subnet the server is on is it shared with others? Wondering if this is because of other traffic from the subnet and also affects you.

tmikaeld•1h ago

These are on spread out external IPs (VPSs) so not within CF networks or specific IP subnets. The common denominator is that at certain bursts of traffic, we get blocked.

If this had some kind of pattern we could avoid or improve, I wouldn't even bring it up.

Istio 1.26.0

"Blackford PI" – a retro detective mystery indie game

I Coded ANOTHER Profitable App SOLO (step by step / from scratch / with AI) [video]

Non-Obvious Problems

Trump's stablecoin chosen for $2B Abu Dhabi investment in Binance

American Panopticon

JavaScript Temporal – is it here?

RevOps and Data when scaling from Seed to Series C+

iVentoy installing unsafe Windows Kernel drivers

Gravity generated by four one-dimensional unitary gauge symmetries

UK experiments to reflect sunlight one step closer

Show HN: FeedBagel – RSS Feed Finder API with AI-Categorized Directory

Show HN: Data Enrichment with AI for Pandas DataFrame

Xenon is an open source universal game cheating framework C++

AI Is Making Developers Lazy: RIP Core Coding Skills

Platform Power Is Underrated

Where Are the Small Phones?

Cheap SSL Certificates

Building a Regex Engine

Navy finds something the LCS is good at: Stopping drug smuggling

Show HN: An AI-first visual editor using GPT-4o's GPT-image-1 model

Amazon to Invest $4B in Chile AWS Data Centers

Show HN: One-Line Installer for Cursor on Linux

Beautiful Concurrency (2007) [pdf]

Efforts Grow to Thwart mRNA Therapies

OSS: Two Steps Forward, One Step Back

Reddit will tighten verification to keep out human-like AI bots

Bird flu in cats points to risk of another pandemic

WhatsApp provides no cryptographic management for group messages

Agatha Christie, Who Died in 1976, Will See You in Class